Missing "A" DNS record for openbsd.org ?

2014-02-28 Thread nobody
Hello,
##


$ dig -t any openbsd.org @8.8.8.8

; <<>> DiG 9.8.1-P1 <<>> -t any openbsd.org @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52763
;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;openbsd.org.                   IN      ANY

;; ANSWER SECTION:
openbsd.org.            21599   IN      SOA     zeus.theos.com. root.theos.com. 950602 17200 3600 360 86400
openbsd.org.            21599   IN      NS      zeus.theos.com.
openbsd.org.            21599   IN      NS      ns.sigmasoft.com.
openbsd.org.            21599   IN      NS      a.ns.bsws.de.
openbsd.org.            21599   IN      NS      c.ns.bsws.de.
openbsd.org.            21599   IN      NS      ns1.telstra.net.
openbsd.org.            21599   IN      NS      ns1.superblock.net.
openbsd.org.            21599   IN      NS      ns2.superblock.net.
openbsd.org.            21599   IN      MX      6 shear.ucar.edu.
openbsd.org.            21599   IN      MX      10 cvs.openbsd.org.

;; Query time: 61 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Feb 28 16:08:34 2014
;; MSG SIZE  rcvd: 293

##
and:

$ dig -t any www.openbsd.org @8.8.8.8

; <<>> DiG 9.8.1-P1 <<>> -t any www.openbsd.org @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59628
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.openbsd.org.               IN      ANY

;; ANSWER SECTION:
www.openbsd.org.        21599   IN      A       129.128.5.194

;; Query time: 41 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Feb 28 16:08:50 2014
;; MSG SIZE  rcvd: 49

$

##

Does anybody know about this?

Thanks, happy weekends.



Re: Missing "A" DNS record for openbsd.org ?

2014-02-28 Thread Ted Unangst
On Fri, Feb 28, 2014 at 16:23, nobody wrote:
> Does anybody know about this?

openbsd.org does not have an A record. This should not affect you.



Re: Missing "A" DNS record for openbsd.org ?

2014-02-28 Thread Marko Cupać
On Fri, 28 Feb 2014 10:48:13 -0500
Ted Unangst  wrote:

> openbsd.org does not have an A record. This should not affect you.

This is strange. I think I was able to access www.openbsd.org via http
on openbsd.org as well.
-- 
Marko Cupać



Re: Missing "A" DNS record for openbsd.org ?

2014-02-28 Thread Ingo Schwarze
Hi Marko,

Marko Cupac wrote on Fri, Feb 28, 2014 at 05:10:13PM +0100:
> On Fri, 28 Feb 2014 10:48:13 -0500 Ted Unangst wrote:

>> openbsd.org does not have an A record. This should not affect you.

> This is strange. I think I was able to access www.openbsd.org
> via http on openbsd.org as well.

No, you were not.  Both were different sites, located on different
machines, in different cities, with different content.

The site openbsd.org was never intended for public consumption.
It always was a test site intended for development only.
It was often out of date or ahead of time with respect to the
public site, www.openbsd.org.

Yours,
  Ingo



Re: Missing "A" DNS record for openbsd.org ?

2014-02-28 Thread nobody
umm, but isn't a CNAME or redirect or whatever should be needed? So if
people type in the browser:

openbsd.org

they can be redirected to www.openbsd.org ?

Thanks.



On Fri, Feb 28, 2014 at 5:23 PM, Ingo Schwarze  wrote:

> Hi Marko,
>
> Marko Cupac wrote on Fri, Feb 28, 2014 at 05:10:13PM +0100:
> > On Fri, 28 Feb 2014 10:48:13 -0500 Ted Unangst wrote:
>
> >> openbsd.org does not have an A record. This should not affect you.
>
> > This is strange. I think I was able to access www.openbsd.org
> > via http on openbsd.org as well.
>
> No, you were not.  Both were different sites, located on different
> machines, in different cities, with different content.
>
> The site openbsd.org was never intended for public consumption.
> It always was a test site intended for development only.
> It was often out of date or ahead of time with respect to the
> public site, www.openbsd.org.
>
> Yours,
>   Ingo



Re: Missing "A" DNS record for openbsd.org ?

2014-02-28 Thread patric conant
On Fri, Feb 28, 2014 at 10:30 AM, nobody wrote:

> umm, but isn't a CNAME or redirect or whatever should be needed? So if
> people type in the browser:
>
> openbsd.org
>
> they can be redirected to www.openbsd.org ?
>
> Thanks.
>
>
>
> On Fri, Feb 28, 2014 at 5:23 PM, Ingo Schwarze  wrote:
>
> > Hi Marko,
> >
> > Marko Cupac wrote on Fri, Feb 28, 2014 at 05:10:13PM +0100:
> > > On Fri, 28 Feb 2014 10:48:13 -0500 Ted Unangst wrote:
> >
> > >> openbsd.org does not have an A record. This should not affect you.
> >
> > > This is strange. I think I was able to access www.openbsd.org
> > > via http on openbsd.org as well.
> >
> > No, you were not.  Both were different sites, located on different
> > machines, in different cities, with different content.
> >
> > The site openbsd.org was never intended for public consumption.
> > It always was a test site intended for development only.
> > It was often out of date or ahead of time with respect to the
> > public site, www.openbsd.org.
> >
> > Yours,
> >   Ingo
>
>

Citation needed, please direct us to the rfc that states example.org should
contain content, or redirect to www.example.org. I'm not sure why this is
so tough for people, but openbsd.org pointed to a machine in Theo's house
that had a slow link, and contained a not intended for public consumption
mock-up of the site. Use of it as a testbed has been discontinued. There
shouldn't be any links to that machine, and if there are they should die.
If you are unduly burdened by having to type the machine name of web server
into your browser, I vastly apologize. Please let this and all other
discussion (people have been asking why it was out of sync with www for
years) of the web content of openbsd.org die.



Re: Missing "A" DNS record for openbsd.org ?

2014-02-28 Thread L. V. Lammert
On Fri, 28 Feb 2014, nobody wrote:

> umm, but isn't a CNAME or redirect or whatever should be needed? So if
> people type in the browser:
>
> openbsd.org
>
> they can be redirected to www.openbsd.org ?
>
> Thanks.
>
It SHOULD be that way, .. nobody that cares about security wants "maybe if
something do this" type of situations anywhere in the system, even in DLS.

Forcing www is adhering to good practices, and that's what OpenBSD is
about, IMHO.

Lee



Re: Missing "A" DNS record for openbsd.org ?

2014-03-01 Thread Hugo Villeneuve
On Fri, Feb 28, 2014 at 05:10:13PM +0100, Marko Cupać wrote:
> On Fri, 28 Feb 2014 10:48:13 -0500
> Ted Unangst  wrote:
> 
> > openbsd.org does not have an A record. This should not affect you.
> 
> This is strange. I think I was able to access www.openbsd.org via http
> on openbsd.org as well.

It is common for modern browser to automatically try www.CURRENTDOMAINTRIED
when CURRENTDOMAINTRIED doesn't have a A or  address. It's a
browser feature.


openbsd.org doesn't have a CNAME record. CNAME record are dangerous.
They invalidate every other DNS record type associated with that
entry. (That's why you usually add a A record to a domain name so
that all the SOA, NS, MX records don't get affected.)
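
The coexistence rule referred to in the message above (RFC 1034 section 3.6.2: a name that holds a CNAME should hold no other data), as an added example that is not part of the original thread. The zone lines are constructed sample data under example.org, and the function names are hypothetical; since a zone apex always carries SOA and NS records, a CNAME there always conflicts.

```python
from collections import defaultdict

# Constructed sample records (not the real openbsd.org zone); addresses are
# from the 192.0.2.0/24 documentation range.
SAMPLE_ZONE = """\
example.org.      86400 IN SOA   ns1.example.org. root.example.org. 1 7200 3600 360000 86400
example.org.      86400 IN NS    ns1.example.org.
example.org.      86400 IN MX    10 mail.example.org.
example.org.      86400 IN CNAME www.example.org.   ; CNAME at the apex
www.example.org.  86400 IN A     192.0.2.10
ftp.example.org.  86400 IN CNAME www.example.org.   ; alone at its name: fine
mail.example.org. 86400 IN CNAME www.example.org.
mail.example.org. 86400 IN A     192.0.2.25
"""

# DNSSEC signature and denial records may share an owner name with a CNAME.
ALLOWED_WITH_CNAME = {"CNAME", "RRSIG", "NSEC"}


def parse_records(text):
    """Yield (owner, type) from expanded 'owner ttl class type rdata' lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()  # drop comments (simplified)
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"line {lineno}: expected owner ttl class type rdata")
        yield fields[0].lower(), fields[3].upper()


def cname_conflicts(text):
    """Map each owner name holding a CNAME to the other types found beside it."""
    types_by_owner = defaultdict(set)
    for owner, rtype in parse_records(text):
        types_by_owner[owner].add(rtype)
    conflicts = {}
    for owner, types in types_by_owner.items():
        clashing = types - ALLOWED_WITH_CNAME
        if "CNAME" in types and clashing:
            conflicts[owner] = sorted(clashing)
    return conflicts


if __name__ == "__main__":
    for owner, others in cname_conflicts(SAMPLE_ZONE).items():
        print(f"{owner}: CNAME coexists with {', '.join(others)}")
```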



Re: Missing "A" DNS record for openbsd.org ?

2014-03-01 Thread Joshua Smith
> On Mar 1, 2014, at 3:21 AM, Hugo Villeneuve  wrote:
> 
>> On Fri, Feb 28, 2014 at 05:10:13PM +0100, Marko Cupać wrote:
>> On Fri, 28 Feb 2014 10:48:13 -0500
>> Ted Unangst  wrote:
>> 
>>> openbsd.org does not have an A record. This should not affect you.
>> 
>> This is strange. I think I was able to access www.openbsd.org via http
>> on openbsd.org as well.
> 
> It is common for modern browser to automatically try www.CURRENTDOMAINTRIED
> when CURRENTDOMAINTRIED doesn't have a A or  address. It's a
> browser feature.

And a terrible idea IMHO. 

> 
> 
> openbsd.org doesn't have a CNAME record. CNAME record are dangerous.

CNAMEs themselves are not dangerous, however when being used for the "root" of 
a domain is _usually_ a bad idea just for the reasons you mentioned below. 


> They invalidate every other DNS record type associated with that
> entry. (That's why you usually add a A record to a domain name so
> that all the SOA, NS, MX records don't get affected.)
> 

Regards,
-
Josh Smith
KD8HRX



Re: Missing "A" DNS record for openbsd.org ?

2014-03-01 Thread Theo de Raadt
> CNAMEs themselves are not dangerous, however when being used for the
> "root" of a domain is _usually_ a bad idea just for the reasons you
> mentioned below.

If you start your own successful project, you also can develop your
own set of reasons for doing any of a variety of operational things
at any point in time.

In that situation, you would probably want to be left in piece.

You seem to have a rather over-extended sense of entitlement towards
telling me that I'm doing it wrong.  I hope it makes you feel really
good.



Re: Missing "A" DNS record for openbsd.org ?

2014-03-01 Thread Joshua Smith
Theo,
Perhaps you misunderstood what I said. I have no gripe or issue with the 
openbsd project.  It's unarguable that having a CNAME record at the apex of a 
domain can lead to issues. I'm sure someone as intelligent and accomplished as 
yourself can find the relevant documentation. 

 I could care less if openbsd.org has an A record; www.openbsd.org is an A 
record, cname or any other type of record; or if the two domain names resolve 
to the same place or not. 

I was simply expanding on the technical point that openbsd.org should not be a 
cname. 


Thanks,
--
Josh Smith
KD8HRX


On Mar 1, 2014, at 8:20 AM, Theo de Raadt  wrote:

>> CNAMEs themselves are not dangerous, however when being used for the
>> "root" of a domain is _usually_ a bad idea just for the reasons you
>> mentioned below.
> 
> If you start your own successful project, you also can develop your
> own set of reasons for doing any of a variety of operational things
> at any point in time.
> 
> In that situation, you would probably want to be left in piece.
> 
> You seem to have a rather over-extended sense of entitlement towards
> telling me that I'm doing it wrong.  I hope it makes you feel really
> good.



Re: Missing "A" DNS record for openbsd.org ?

2014-03-01 Thread Jan Stary
On Mar 01 06:20:20, dera...@cvs.openbsd.org wrote:
> In that situation, you would probably want to be left in piece.

"Left in piece" goes straight to the amusing typos list.



Re: Missing "A" DNS record for openbsd.org ?

2014-03-01 Thread Zeb DeOs

>> CNAMEs themselves are not dangerous, however when being used for the
>> "root" of a domain is _usually_ a bad idea just for the reasons you
>> mentioned below.
>
> You seem to have a rather over-extended sense of entitlement towards
> telling me that I'm doing it wrong.  I hope it makes you feel really
> good.



Joshua Smith did not tell you that you are doing it wrong. He pointed 
out that CNAMEs are not _always_ a bad thing in general, which was in 
response to someone else who seemed to imply they were. He also was 
saying browsers do wrong by trying www automatically when the apex 
doesn't resolve. He made no comment with respect to the openbsd.org 
domain configuration or "operational things".


-Zeb DeOs



Re: Missing "A" DNS record for openbsd.org ?

2014-03-01 Thread Theo de Raadt
> >> CNAMEs themselves are not dangerous, however when being used for the
> >> "root" of a domain is _usually_ a bad idea just for the reasons you
> >> mentioned below.
> >
> > You seem to have a rather over-extended sense of entitlement towards
> > telling me that I'm doing it wrong.  I hope it makes you feel really
> > good.
> >
> 
> Joshua Smith did not tell you that you are doing it wrong. He pointed 
> out that CNAMEs are not _always_ a bad thing in general, which was in 
> response to someone else who seemed to imply they were. He also was 
> saying browsers do wrong by trying www automatically when the apex 
> doesn't resolve. He made no comment with respect to the openbsd.org 
> domain configuration or "operational things".

I was reporting (and trying to fix) security holes in libc's CNAME
handling back in 1989, so I know.

Please don't do that lecturing thing.